User of Oracle software will enjoy another busy month, applying as many as 237 patches released in its January Critical Patch Update. Three of the security flaws are rated 9.8 out of 10 for criticality among the many vulnerabilities fixed by Oracle this month
These three flaws affect Fusion Middleware, PeopleSoft and Retail Applications, and organisations running the software have been urged to patch as a matter of urgency before exploits are developed to take advantage of them.
In addition, Oracle has also issued a patch for the MICROS Handheld Terminal - MICROS being the target of particularly sophisticated attacks in 2016, which Oracle remains tight-lipped about.
A successful attack against Oracle E-Business Suite allows an attacker to steal and manipulate business-critical information
The most vulnerable application, according to ERP security specialists ERPScan, is Oracle Financials, with IT departments charged with applying 34 patches this month. "However, not only the number but the criticality of issues is alarming. Thirteen of them can be exploited over the network without entering user credentials," ERPScan warned.
Fusion Middleware and the MySQL open-source database are not far behind with 27 and 25 respectively.
"Between this and the previous Critical Patch Updates, Oracle urgently closed severe issues including a vulnerability dubbed JoltandBleed (CVE 2017-10269)... This vulnerability allows an attacker to gain full access to all data stored in the following ERP systems:
- Oracle PeopleSoft Campus Solutions;
- Oracle PeopleSoft Human Capital Management;
- Oracle PeopleSoft Financial Management; and
- Oracle PeopleSoft Supply Chain Management."
Eight of the 15 fixes for Oracle PeopleSoft can be exploited over a corporate network without requiring user credentials - one of the three vulnerabilities rated at 9.8 out of ten.
Oracle E-Business Suite is Oracle's main business software, for which the company is providing seven patches - four of which can be exploited over a network without credentials.
"A successful attack against Oracle E-Business Suite allows an attacker to steal and manipulate business-critical information, depending on modules installed in an organisation," warned ERPScan, with the most severe vulnerability rated at 9.1 out of 10.
Not only the number but the criticality of issues is alarming. Thirteen of them can be exploited over the network without entering user credentials
The company also highlighted three particular vulnerabilities patched by Oracle this month, all of them described as "easily exploitable". These include patches for:
- Sun ZFS Storage Appliance Kit;
- Oracle WebLogic Server component of Oracle Fusion Middleware;
- Oracle Directory Server Enterprise Edition, where vulnerabilities could result in a takeover of the entire package;
- Oracle Retail Convenience and Fuel POS Software, which features vulnerabilities that could "result in takeover of Oracle Retail Convenience and Fuel POS software"; and,
- PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil.
While 237 patches may sound a lot, that is stretched out over a wide range of applications and is by no means Oracle's busiest month - that was in July 2017, when the company issued 308 patches.
ERPScan, though, notes that the average number of patches issued by Oracle every month has more-or-less doubled in just the past three years.
Microsoft seizes control of phishing sites linked with Russian state hackers
Fitness trackers over-estimate the number of steps their users take, analysis of 67 research reports suggests
Everything we think we know about the imminent Apple iPhone 9, iPhone 11 and iPhone 11 Plus launches
All the latest rumours about Apple iPhone Displays, CPUs, launch dates and even prices
Nvidia brings Turing microarchitecture into the high-end gaming segment